Patents Examined by Saleh Najjar
  • Patent number: 11323274
    Abstract: In an embodiment, a computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. In an embodiment, a private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. In an embodiment, the certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. In an embodiment, the system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: May 3, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Zachary Bowen, Todd Lawrence Cignetti, Preston Anthony Elder, III, Brandonn Gorman, Ronald Andrew Hoskinson, Jonathan Kozolchyk, Kenneth Lawler, Marcel Andrew Levy, Kyle Benjamin Schultheiss, Sandeep Shantharaj, Param Sharma, Jose Maria Silveira Neto
  • Patent number: 11316895
    Abstract: Disclosed herein are systems and methods that may generate so-called “honey credentials” that are transmitted to a “phishing” website, and are then stored into a honey credential database. The honey credentials appear to be valid credentials, but whenever a bad actor attempts to access an enterprise using the honey credentials, security appliances of the enterprise may update the records of the honey credential database to include one or more unique identifiers for each bad actor device that attempts to access the enterprise network using the honey credentials. A server may automatically query the honey credential database to identify other accounts that have been accessed by devices that used the honey credentials to access the enterprise. The server may then flag the accounts and restrict their functionality.
    Type: Grant
    Filed: October 20, 2017
    Date of Patent: April 26, 2022
    Assignee: United Services Automobile Association (USAA)
    Inventors: Jordan Wright, William Jennings Woodson, Justin Sommers Gray
  • Patent number: 11310060
    Abstract: Systems and methods are described for using equivalent secret values across different elliptic curves. For example, a transferring party may wish to exchange a first asset on a first blockchain with a recipient for a second asset on a second blockchain. After exchanging sets of public keys with a recipient, a transferring party may generate a zero-knowledge proof and public keys associated with a selected bitstring. The recipient may then verify the proof, which shows that private keys associated with the public keys associated with the bitstring are both derived from the bitstring without revealing the bitstring itself. Once validity of the private keys has been established, the transferring party may publish a second signature to claim the second asset. The published second signature may then be used to publish a first signature (generated using the selected bitstring) on the first blockchain to claim the first asset.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: April 19, 2022
    Assignee: Blockstream Corporation
    Inventors: Andrew Poelstra, Jonas Nick
  • Patent number: 11310052
    Abstract: Know your customer regulations and security concerns, among other reasons, motivate institutions to ensure that entities with whom the institutions have dealings are who they say they are. A block of the blockchain discussed herein includes entity verifications generated by institutions that participate in the blockchain. An individual verification may include a hash of personal information associated with an entity that was authenticated by an institution. An institution seeking to authenticate (or deny) an entity may receive personal information from the entity, hash that personal information, and search the blockchain for any matching verifications (e.g., by attempting to match the hashed personal information to hash(es) associated with a verification in the blockchain).
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: April 19, 2022
    Assignee: Block, Inc.
    Inventors: Natalie Keogh, Loren Heiman, Daniel Swislow, Brian John Mullins
  • Patent number: 11310220
    Abstract: A target device is associated with a source device. A system includes a target device that enters an association mode, obtains an identification code, and broadcasts the identification code. A source device receives the broadcast, obtains authorization to associate with the target device, and provides a message to an association server. The association server receives the message and associates the target device and the source device in response thereto.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: April 19, 2022
    Assignee: Spotify AB
    Inventors: Jimmy Wahlberg, Nicklas Söderlind
  • Patent number: 11310211
    Abstract: The disclosed technology relates to securely sharing data between a hearing care professional (HCP) and a hearing device user. For example, the disclosed technology relates to securely accessing fitting data for a hearing device. The disclosed technology includes a hearing device that has a memory, where the memory stores a key that can be used for encryption and decryption. The key can be a symmetrical key. In addition to storing a key, the hearing device can store a uniform resource indicator (URI) in its memory.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: April 19, 2022
    Assignee: Sonova AG
    Inventors: Philipp Schneider, Aliaksei Tsitovich, Filip Wojcieszyn, Daniel Schmid
  • Patent number: 11303461
    Abstract: The inventive concept provides a security device capable of reducing an area of a die required for implementation of a stable PUF by increasing the value of entropy from a predefined number of entropy sources and/or minimizing a blind zone of a validity checking module. The security device uses an asynchronous configuration to minimize a blind zone. In various embodiments of the inventive concept, the blind zone is generated only in a period when a reset signal is at a first logic level. Therefore, it is possible to minimize the blind zone by minimizing a period in which the reset signal is at such logic level. A semiconductor device, semiconductor package, and/or smart card can be provided with such security device, as well as a method for determining a validity of a random signal using a semiconductor security device.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: April 12, 2022
    Inventors: Ihor Vasyltsov, Karpinskyy Bohdan, Kalesnikau Aliaksei, Yun-Hyeok Choi
  • Patent number: 11288405
    Abstract: An IC comprising functional circuit to perform primary functions of the IC is provided. The functional circuit is to enable electrical signals to propagate through it within a timing constraint of the functional circuit. The IC comprises at least one canary circuit used for detecting glitch attacks on the circuit. Electrical signals are to propagate through the canary circuit(s) within a defined timing constraint of the canary circuit(s). The canary circuit is to provide a signal path designed such that in the event that a timing constraint of the functional circuit(s) is violated due to a glitch attack, the timing constraint of the canary circuit(s) is also violated.
    Type: Grant
    Filed: October 25, 2018
    Date of Patent: March 29, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Pierre Belgarric, David Plaquin, Eugene Cohen, Chris R. Gunning
  • Patent number: 11281804
    Abstract: Various embodiments of apparatuses and methods for protecting data integrity in a content distribution network (“CDN”) are described. Code or data in one of the servers or instances of a CDN might sometimes become incorrect or corrupt. One corrupted server or instance can potentially impact a considerable portion of the CDN. To solve these and other problems, various embodiments of a CDN can designate one or more parameters, which are then identified in a request for content to another entity. In these embodiments, the CDN can generate an encoding of the expected values of the designated parameters. The CDN can then compare, in these embodiments, its encoding of the expected values to an encoding of the values received from the other entity in response to the request. The CDN can validate the content of the response, as well as the identity of the other entity, in some embodiments.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: March 22, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Karthik Uthaman, Ronil Sudhir Mokashi
  • Patent number: 11275835
    Abstract: Systems and methods for performing a repeat antivirus scan of a file are disclosed. A local database is saved on a mobile device, where each record is added to the database when the corresponding file is recognized as being non-malicious as a result of an antivirus scan. A short hash sum of the file is computed and the long hash sum of the file and information about the antivirus scan performed and corresponding to the first hash sum of the file are found in the aforementioned database. Using the long hash sum, a verdict on the file is requested from the cloud services. An antivirus scan of the file is performed, except when the verdict obtained is unchanged (as compared to the verdict contained in the information about the antivirus scan performed of the obtained record corresponding to the file), and no updating of the antivirus databases has occurred since the date of performing the antivirus scan.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: March 15, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Victor V. Chebyshev, Dmitry N. Glavatskikh, Konstantin M. Filatov, Vladimir A. Kuskov
  • Patent number: 11275865
    Abstract: Systems and methods providing user privacy in association with decentralized ledger technology are disclosed. Improved methods and systems for access control are disclosed wherein an access request can be received at the distributed ledger to fetch a data file without disclosing requester identity, that can verify the access request at the decentralized ledger as a legitimate request or as a malicious/faulty request, and can assist a user of a legitimate request to access the data and deny access to malicious/faulty requests that are compatible with a decentralized ledger environment.
    Type: Grant
    Filed: August 23, 2019
    Date of Patent: March 15, 2022
    Assignee: Conduent Business Services, LLC
    Inventors: Lei Xu, Isaac Manny Markus Serfaty, Nikhil Nayab
  • Patent number: 11277439
    Abstract: Systems and methods are described that mitigate and/or prevent distributed denial-of-service (DDOS) attacks. In one implementation, a gateway includes one or more processors that obtain network data from one or more entities associated with the gateway, provide the network data to a server, and obtain a set of entity identifiers from the server. The set of entity identifiers may be generated based on at least the network data. The one or more processors may further filter communications based on the set of entity identifiers.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: March 15, 2022
    Assignee: Neustar, Inc.
    Inventor: Brian R. Knopf
  • Patent number: 11263332
    Abstract: A computer system, processor, and method for processing information is disclosed that includes watching logical operations to detect unauthorized attempts to access a register, and taking evasive action in response to detecting unauthorized attempts to access the register. In an embodiment, the register is a hidden, secret, restricted, or undocumented register, and the method further includes, in response to unauthorized attempts to access the secret register, locking the contents of the secret register. The evasive action may include one or more of interrupting the operations of the processor; causing the processor to shut-down, malfunction, lock, self-destruct; no longer providing read or write permission or access to the register; releasing data disguised to look like the real register data while not releasing the real data; and combinations thereof.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: March 1, 2022
    Assignee: International Business Machines Corporation
    Inventors: Mark Fredrickson, Chad Albertson, Scott D. Frei, David G. Wheeler
  • Patent number: 11265167
    Abstract: A method is performed at a security device. The method includes establishing a network connection with a client system. After establishing the network connection, the security device receives a first packet from the client system. The first packet includes an identifier, a first counter value, and a first one-time password hash generated by the client system. Based on the identifier received, the security device retrieves from a trusted data store the seed and a second counter value. If the first counter value is larger than the second counter value, the security device generates a second one-time password hash based on the identifier, the first counter value, and the seed. In accordance with a determination that the first and second one-time password hashes match, the security device grants, to the client system, access to one or more network resources protected by the security device via the network connection.
    Type: Grant
    Filed: October 21, 2020
    Date of Patent: March 1, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Ted Schroeder, Gabor Lengyel
  • Patent number: 11259181
    Abstract: One-time password (“OTP”) generation on a smartwatch is provided. OTP generation may include communication between an application on a smartwatch and an application on a smartphone. The request for an OTP may be received at the smartwatch. A biometric identifier may also be received at the smartwatch. The smartwatch application may communicate with the smartphone application. An OTP may be generated within a third-party library within the smartphone application. The generated OTP may be transmitted from the smartphone application to the smartwatch application. The OTP may be displayed on the smartwatch.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: February 22, 2022
    Assignee: Bank of America Corporation
    Inventors: Trish Gillis, Patrick Burgess, Robert S. Mumma, Napangsiri Wanpen, Taylor Farris, Benjamin Blad
  • Patent number: 11258788
    Abstract: Disclosed embodiments relate to systems and methods for automatically detecting and addressing security risks in code segments. Techniques include identifying a request from a network identity for an action involving a target network resource, wherein the action requires a temporary access token. Techniques further include performing, based on a security policy, at least one of: storing the temporary access token separate from the network identity and providing the network identity with a customized replacement token having an attribute different from the temporary access token; or creating a customized replacement role for the network identity, the customized replacement role having associated permissions that are customized for the network identity based on the request.
    Type: Grant
    Filed: May 8, 2020
    Date of Patent: February 22, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omer Tsarfati, Asaf Hecht
  • Patent number: 11250123
    Abstract: A method includes loading each section of an executable program code into a respective page of memory, configuring permissions for a first page including a first section of the executable program code to enable execution of the first section loaded into the first page. The first section is associated with a first label. The method also includes configuring permissions for a second page of the memory including a second section of the executable program code to disable execution of the second section loaded into the second page. The second section is associated with a second label. Responsive to a determination that a transition from the first section to the second section is allowed during execution of the executable program code, the method also includes changing the permissions of the second page to enable execution of the second section of the executable program code.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: February 15, 2022
    Assignee: Red Hat, Inc.
    Inventors: Peter Jones, Adam Jackson
  • Patent number: 11250171
    Abstract: A tamper sensor assembly includes a lid having a surface and a sensor substrate on the surface of the lid. The sensor substrate has conductive lines that extend across at least a major portion of the surface of the lid and conform to three dimensional characteristics of the surface of the lid. The security processor is electrically connected to the conductive lines of the sensor substrate and is configured to identify occurrence of tampering with the lid based on an electrical characteristic of signals conducted through the conductive lines, and to perform an anti-tampering operation responsive to identifying occurrence of tampering.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: February 15, 2022
    Assignee: Thales eSecurity, INC.
    Inventors: Timothy E. Cook, Gerald Thomas Wardrop, Jr.
  • Patent number: 11245694
    Abstract: A user terminal apparatus may include a communication unit for communicating with a server; a memory in which applications are stored; and a processor for executing an application including a first logic which requires security processing, performing mutual verification with the server, controlling the communication unit such that a request for executing the first logic on the server is sent to the server, and when the execution result of the first logic is received from the server, proceeding with the execution of the application by using the received execution result.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: February 8, 2022
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Kyung-soo Kwag, Ji-hoon Kim
  • Patent number: 11240233
    Abstract: Systems and methods are provided for use in provisioning a biometric image template of a user to a card device associated with the user. One exemplary method includes authenticating, by a card device, a portable communication device associated with the user based on a certificate associated with the portable communication device and receiving, at the card device, a biometric image of the user from the portable communication device after the portable communication device is authenticated. The method then includes storing, by the card device, the biometric image of the user in a memory of the card device as a biometric image template of the user, whereby the user may be authenticated, by the card device, based on a subsequent biometric image matching the biometric image template.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: February 1, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Ashfaq Kamal, Sumeet Bhatt, Robert D. Reany